Create CVS vulnerability findings per sbom_occurrence_ref

Summary

Update the CVS ingestion flow to create a vulnerability finding for each sbom_occurrence_ref associated with an affected sbom_occurrence, rather than a single finding per occurrence scoped to the default branch context.

Motivation

When a project has multiple tracked contexts (e.g. default branch + a feature branch), each sbom_occurrence_ref represents the component as it exists in one specific tracked context, with its own pipeline. Previously, the scanner only created one finding per occurrence on the default branch context, missing non-default tracked contexts entirely.

Changes

  • Add with_occurrence_refs_for_advisory_scan scope to Sbom::Occurrence to preload occurrence_refs with their tracked_context and pipeline, avoiding N+1 queries
  • Chain the new scope in PossiblyAffectedOccurrencesFinder#execute_in_batches
  • Introduce cvs_ingestion_finding_per_occurrence_ref feature flag (wip, default off)
  • When enabled: AdvisoryScanner fans out one finding per occurrence_ref, using each ref's pipeline and tracked_context
  • When disabled: falls back to existing behaviour (one finding per occurrence on the default branch context)

Closes #581948 (closed)
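The fan-out and fallback described in the Changes list, as an added plain-Ruby model that is not the MR's own code (no Rails, no real Feature flag API). The struct names, the FEATURE_FLAGS hash standing in for Feature.enabled?, the RefStore query counter and the sample data are all assumptions for illustration; the legacy branch is modelled as using the occurrence's own pipeline plus the default-branch context, which is what "one finding per occurrence on the default branch context" is taken to mean here.

```ruby
# Added example (not GitLab's code): models the AdvisoryScanner fan-out.
# All struct names, FEATURE_FLAGS and RefStore are assumptions for illustration.

TrackedContext = Struct.new(:id, :name, :default_branch, keyword_init: true)
Pipeline       = Struct.new(:id, :tracked_context, keyword_init: true)
OccurrenceRef  = Struct.new(:id, :occurrence_id, :tracked_context, :pipeline, keyword_init: true)
Occurrence     = Struct.new(:id, :component, :pipeline, :default_context, :occurrence_refs, keyword_init: true)
Finding        = Struct.new(:occurrence_id, :advisory_id, :pipeline_id, :tracked_context_id, keyword_init: true)

# Stand-in for Feature.enabled?; the flag defaults to off, as in the MR.
FEATURE_FLAGS = { cvs_ingestion_finding_per_occurrence_ref: false }

def feature_enabled?(name)
  FEATURE_FLAGS.fetch(name, false)
end

# Flag on: one finding per occurrence_ref, carrying that ref's pipeline and
# tracked_context. Flag off: the legacy single finding on the default-branch
# context using the occurrence's own pipeline (assumed legacy shape).
def build_findings(occurrence, advisory_id)
  if feature_enabled?(:cvs_ingestion_finding_per_occurrence_ref)
    occurrence.occurrence_refs.map do |ref|
      Finding.new(occurrence_id: occurrence.id, advisory_id: advisory_id,
                  pipeline_id: ref.pipeline.id, tracked_context_id: ref.tracked_context.id)
    end
  else
    [Finding.new(occurrence_id: occurrence.id, advisory_id: advisory_id,
                 pipeline_id: occurrence.pipeline.id, tracked_context_id: occurrence.default_context.id)]
  end
end

# Simulated datastore; query_count makes the N+1 difference visible between
# fetching refs per occurrence and preloading them for the whole batch.
class RefStore
  attr_reader :query_count

  def initialize(refs)
    @refs = refs
    @query_count = 0
  end

  def refs_for(occurrence_id) # one query per occurrence (N+1 pattern)
    @query_count += 1
    @refs.select { |r| r.occurrence_id == occurrence_id }
  end

  def preload(occurrence_ids) # one query for the whole batch
    @query_count += 1
    @refs.select { |r| occurrence_ids.include?(r.occurrence_id) }.group_by(&:occurrence_id)
  end
end

def scan_batch_naive(occurrences, store, advisory_id)
  occurrences.flat_map do |occ|
    occ.occurrence_refs = store.refs_for(occ.id)
    build_findings(occ, advisory_id)
  end
end

def scan_batch_preloaded(occurrences, store, advisory_id)
  by_occ = store.preload(occurrences.map(&:id))
  occurrences.flat_map do |occ|
    occ.occurrence_refs = by_occ.fetch(occ.id, [])
    build_findings(occ, advisory_id)
  end
end

# Constructed sample: one project tracking its default branch and a feature branch.
MAIN      = TrackedContext.new(id: 1, name: "main", default_branch: true)
FEATURE   = TrackedContext.new(id: 2, name: "feature/x", default_branch: false)
P_MAIN    = Pipeline.new(id: 10, tracked_context: MAIN)
P_FEATURE = Pipeline.new(id: 11, tracked_context: FEATURE)

def sample_occurrences
  [
    Occurrence.new(id: 100, component: "lodash", pipeline: P_MAIN, default_context: MAIN, occurrence_refs: []),
    Occurrence.new(id: 101, component: "minimist", pipeline: P_MAIN, default_context: MAIN, occurrence_refs: [])
  ]
end

def sample_refs
  [
    OccurrenceRef.new(id: 1, occurrence_id: 100, tracked_context: MAIN, pipeline: P_MAIN),
    OccurrenceRef.new(id: 2, occurrence_id: 100, tracked_context: FEATURE, pipeline: P_FEATURE),
    OccurrenceRef.new(id: 3, occurrence_id: 101, tracked_context: MAIN, pipeline: P_MAIN)
  ]
end

# Runs one batch in the requested mode; returns [findings, queries_issued].
def run(per_ref:, preload:)
  FEATURE_FLAGS[:cvs_ingestion_finding_per_occurrence_ref] = per_ref
  store = RefStore.new(sample_refs)
  scan = preload ? method(:scan_batch_preloaded) : method(:scan_batch_naive)
  findings = scan.call(sample_occurrences, store, "advisory-1")
  [findings, store.query_count]
end

if __FILE__ == $PROGRAM_NAME
  [[true, true], [true, false], [false, true]].each do |per_ref, preload|
    findings, queries = run(per_ref: per_ref, preload: preload)
    puts "per_ref=#{per_ref} preload=#{preload}: #{findings.size} findings, #{queries} queries"
  end
end
```

With the flag on, the occurrence that is present on both branches yields two findings, the feature-branch one carrying pipeline 11 and tracked context 2, which the legacy path never produced; preloading keeps the batch at one refs query regardless of batch size.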
